author | Yohann Ferreira <bertram@cegetel.net> | 2008-04-21 16:18:03 +0000 |
---|---|---|
committer | Yohann Ferreira <bertram@cegetel.net> | 2008-04-21 16:18:03 +0000 |
commit | ac1a456a90d06ba7765716643257ec33cc513f76 (patch) | |
tree | 5cc5a9ce24942bcac3d2fa4b45d8d92375313cc1 /src/net | |
parent | 24681ad4312d804aa06c8ace7d1a9f2f9605a4eb (diff) | |
Added password encryption client-side using SHA256.
Diffstat (limited to 'src/net')
-rw-r--r-- | src/net/accountserver/account.cpp | 29 | ||||
-rw-r--r-- | src/net/accountserver/account.h | 10 | ||||
-rw-r--r-- | src/net/accountserver/accountserver.cpp | 10 |
3 files changed, 31 insertions, 18 deletions
diff --git a/src/net/accountserver/account.cpp b/src/net/accountserver/account.cpp
index 9f3bfe5c..bb0214d3 100644
--- a/src/net/accountserver/account.cpp
+++ b/src/net/accountserver/account.cpp
@@ -23,6 +23,9 @@
 #include "account.h"
+#include <string>
+#include "../../utils/encryption.h"
+
 #include "internal.h"
 #include "../connection.h"
@@ -74,34 +77,36 @@ void Net::AccountServer::Account::unregister(const std::string &username,
 MessageOut msg(PAMSG_UNREGISTER);
 msg.writeString(username);
- msg.writeString(password);
+ msg.writeString(Encryption::GetSHA2Hash(
+ std::string (username + password)));
 Net::AccountServer::connection->send(msg);
 }
-void Net::AccountServer::Account::changeEmail(const std::string &email)
+void Net::AccountServer::Account::changeEmail(const std::string &username,
+ const std::string &email)
 {
 MessageOut msg(PAMSG_EMAIL_CHANGE);
+ // Email is sent clearly so the server can validate the data.
+ // Encryption is assumed server-side.
 msg.writeString(email);
 Net::AccountServer::connection->send(msg);
 }
-void Net::AccountServer::Account::getEmail()
-{
- MessageOut msg(PAMSG_EMAIL_GET);
-
- Net::AccountServer::connection->send(msg);
-}
-
 void Net::AccountServer::Account::changePassword(
- const std::string &oldPassword, const std::string &newPassword)
+ const std::string &username,
+ const std::string &oldPassword,
+ const std::string &newPassword)
 {
 MessageOut msg(PAMSG_PASSWORD_CHANGE);
- msg.writeString(oldPassword);
- msg.writeString(newPassword);
+ // Change password using SHA2 encryption
+ msg.writeString(Encryption::GetSHA2Hash(
+ std::string (username + oldPassword)));
+ msg.writeString(Encryption::GetSHA2Hash(
+ std::string (username + newPassword)));
 Net::AccountServer::connection->send(msg);
 }
diff --git a/src/net/accountserver/account.h b/src/net/accountserver/account.h
index 6a8c4e08..c8604717 100644
--- a/src/net/accountserver/account.h
+++ b/src/net/accountserver/account.h
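Review bot: The value written by `msg.writeString(Encryption::GetSHA2Hash(std::string (username + password)))` in `unregister` and `changePassword` is a fixed digest with no server-supplied nonce, so whoever holds that digest can presumably authenticate with it without ever knowing the password; the `login` hunk in accountserver.cpp uses the same construction. What the change does achieve is that the plaintext is not disclosed for reuse elsewhere, and the comment should say that instead of `// Change password using SHA2 encryption`, for example `// SHA-256 digest of username+password: hides the plaintext, does not prevent replay`. Replay resistance would need a per-session challenge from the server or an encrypted transport, neither of which is visible in this diff. Separately, `changeEmail` gains a `username` parameter that its body never reads; either drop it or add a comment saying why the signature carries it.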
@@ -44,12 +44,12 @@ namespace Net
 void unregister(const std::string &username,
 const std::string &password);
- void changeEmail(const std::string &email);
+ void changeEmail(const std::string &username,
+ const std::string &email);
- void getEmail();
-
- void changePassword(const std::string &oldPassword,
- const std::string &newPassword);
+ void changePassword(const std::string &username,
+ const std::string &oldPassword,
+ const std::string &newPassword);
 }
 }
 }
diff --git a/src/net/accountserver/accountserver.cpp b/src/net/accountserver/accountserver.cpp
index 651758a6..a641ab47 100644
--- a/src/net/accountserver/accountserver.cpp
+++ b/src/net/accountserver/accountserver.cpp
@@ -23,6 +23,9 @@
 #include "accountserver.h"
+#include <string>
+#include "../../utils/encryption.h"
+
 #include "internal.h"
 #include "../connection.h"
@@ -38,7 +41,9 @@ void Net::AccountServer::login(Net::Connection *connection, int version,
 msg.writeInt32(version);
 msg.writeString(username);
- msg.writeString(password);
+ // The password is hashed
+ msg.writeString(Encryption::GetSHA2Hash(
+ std::string (username + password)));
 Net::AccountServer::connection->send(msg);
 }
@@ -53,6 +58,9 @@ void Net::AccountServer::registerAccount(Net::Connection *connection,
 msg.writeInt32(version); // client version
 msg.writeString(username);
+ // When registering, the password and email hash is assumed by server.
+ // Hence, data can be validated safely server-side.
+ // This is the only time we send a clear password.
 msg.writeString(password);
 msg.writeString(email); |
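Review bot: The hash input in `login` is the bare concatenation `username + password`, so the only salt is the public account name and nothing separates the two fields; constructed pairs such as (`ab`, `c`) and (`a`, `bc`) give the same digest. A single SHA-256 pass is also cheap to evaluate, so if the server stores this value unchanged, a leaked account table permits fast offline guessing; the server should wrap the received digest in a salted, slow password hash before storing it, which this diff cannot show. If the wire format can still change, a length prefix or a delimiter that usernames cannot contain would remove the ambiguity, but that has to be agreed with the server side. The comment `// The password is hashed` should name what is hashed, e.g. `// SHA-256 of username+password; the clear password is never sent on login`. The body of `login` starts before this hunk.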
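Review bot: `registerAccount` still writes `password` unhashed, and the added comment confirms it, so the protection the other calls gain does not cover the first message that ever carries the password; whether the connection is encrypted is not visible in this hunk. It also means the server must reproduce the client's derivation exactly (SHA-256 over `username + password`, same byte encoding and digest text format), or later `login` digests will not match what was stored. The first comment line is hard to read; I would write `// Registration sends the clear password and email so the server can validate them;` followed by `// the server is expected to hash them before storing.` If the server-side validation of the password is only a length or character check, consider doing that check in the client and sending the digest here as well. The function continues past the end of the hunk.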